----- Original Message -----
From: "Thorsten Leemhuis" <fedora leemhuis info>
To: <fedora-advisory-board redhat com>
Sent: Friday, November 03, 2006 9:19 AM
Subject: Re: [fab] looking at our surrent state a bit
> >> == MISC ==
> >>
> >> * I got the impression (and LWN readers, too ["hello corbet!"]) that
> >> Fedora Legacy is not able to do its job properly. Maybe it's time to
> >> just revamp the whole project?
> > How?
>
> Give it a fresh start, a new name (because the Term "Fedora Legacy" has
> such a bad fame now), maybe try to get the load reduced (only support
> releases with odd number for a longer time, drop old releases).
Current Fedora Legacy status: see http://fedoraproject.org/wiki/Legacy/Status
Thank you, Thorsten, for having the guts to say it -- at least about Legacy's reputation/infamy now. Of course, corbet had the guts to say it first here:
http://lwn.net/Articles/204722/. Thanks, corbet. It needed to be said.
The Fedora Project NEEDS Fedora Legacy! I repeat: The Fedora Project NEEDS Fedora Legacy in order to be a viable Linux distribution to be used for anything other than pushing the latest and greatest software out the door for Linux aficionados to play with and submit bugzilla tickets for. As Matthew Miller said at the beginning of Fedora Legacy's thread "lwn article on the death of Fedora Legacy,"
"Without a functioning lifespan of over a year, Fedora is
only practically useful as an enthusiast, bleeding-edge
distro. That's only supposed to be _part_ of its mission."
-- http://tinyurl.com/ycl3zp
Fedora Board, please take heed. Although providing a stable, long-term operating system/environment is *not* one of Fedora Project's stated goals, the practical lifetime of a Fedora release of 1 year (without Legacy to be there to security-maintain them for (at least) 1 more year) is ... ridiculous -- except for the Linux enthusiast and those who love sliding down the razor-blade of computing.
The Fedora Legacy build team seems to be down now to 1 or 2 builders who can push packages to Legacy's updates-testing and updates. I am one of that team now, and am the slowest, most pedantic RPM packager/signer/pusher that you'd never wanna meet. The most sure-fire way of killing Fedora Legacy is to let me be the only one doing this essential activity with Fedora Legacy Core packages that need security updates in a timely fashion.
Is this really what the Fedora Board and Red Hat want?
Although I am amid working with pushing a gzip security bug ( http://tinyurl.com/yhvh4a ) to updates-testing in the last few days, in general, Legacy Security Updates for FC3 and FC4 are simply not happening. Hopefully by Tuesday or so, this FC3/FC4 bug will at least be in updates-testing for folks to play with and judge, so it can quickly be pushed to updates (only about 2 months after Red Hat Enterprise Linux pushed similar security updates on these issues).
In the history of the Fedora Legacy project, IMNSHO it has not been often that updates have been released quickly to end-users (after a security hole has been made public), unless there was a hue-and-cry over on the Fedora-legacy-list about, say, sendmail or some other server program that might allow, say, remotely-controlled anonymous root access to someone's box.
I would love to see Fedora Legacy (by that name or any other name) take off and prosper, and be a real boon to users of maintenance-mode Fedora Core (and Red Hat Linux -- yes, we are continuing to roll some updates to RHL 7.3 and RHL9 until December ... um ... at least I think we are??). But as some folks have clearly said, until it does, at least to take care of the *critical* security bugs (letting the moderate or important or low-security-impact bugs slide until we have the manpower to handle them) -- THE EXISTENCE OF FEDORA LEGACY IS PROVIDING A FALSE SENSE OF SECURITY FOR OUR END-USERS ... at least at this time.
If you don't believe that -- look at this article about Fedora Core 6 on eWeek Magazine's web-site, by the excellent writer, Jason Brooks:
http://www.eweek.com/article2/0,1895,2048117,00.asp
It's not the article, really, that proves my point. It's the article's talkback. I wish what commenter "unoengborg" was saying were true. Really, really, really wish. But it ain't -- not yet. Will it ever be?
That's up to you, dear reader.
I would like to propose a time folks interested in a vital and alive (even revamped) FedoraLegacy project can come on over to IRC (freenode.net) and sit and yack awhile, brainstorming and struggling with these issues. I plan to be online over on channel #fedora-legacy around 10am CST for at least two hours every day this week.
Come by. Come chat. Come yell! Just come! We need your help!
Thank you.
Warm regards,
David Eisenstein